How cyber criminals are embracing voice morphing

Like most digital technology, including the Internet itself, voice morphing (digitally reproducing a specific human voice) was initially a military-based technology that is now being harnessed by organised criminal groups (OCGs).

Originally created to be deployed in psychological operations, PSYOPS in US military jargon, digital morphing was developed just after Iraq's invasion of Kuwait in 1990.

According to the Washington Post, covert operators were experimenting with the idea of making a fake recording of Saddam Hussein weeping or in a compromising situation. This was to have been distributed throughout Iraq and the Arab world in order to weaken his leadership.

Voice "morphing" technology was initially developed and refined at the Los Alamos National Laboratory in New Mexico, subsequently enabling real-time cloning of an individual’s speech patterns. To test the technology, the scientists took recordings of generals’ voices and experimented with fake statements such as the voice of former US Secretary of State Colin Powell saying: “I am being treated well by my captors”.

Criminals now downloading off-the-shelf voice morphing

The US developed voice morphing technology to use as a covert weapon against its adversaries. But as the technology has become more accessible, organised criminal gangs are now starting to download off-the-shelf voice morphing products. These can then be harnessed for attacks on corporate IT systems.

For example, organisations such as law firms and private equity houses are already being hit by socially engineered "Friday afternoon" attacks. These often occur at the end of the week when executives and their staff are about to leave for the weekend. KCS has encountered an increase in this activity at a high level. Typically, an email or, in many cases, a phone call comes from someone claiming either to work for the company or to be in close affiliation. The OCGs carrying out these attacks have generally done their homework to the extent that the content of the email or the telephone call appears genuine.

Law firms are reporting a growing number of these attacks. A typical example would be a hacker calling in and pretending to be a senior partner requesting an urgent funds transfer to a client. A London hedge fund, Fortelus Capital Management, was recently reported to have lost £740,000 in a single afternoon after the finance chief answered a call purporting to come from the hedge fund's bank, Coutts. The scammer claimed that there had been fraudulent activity on the account, and it is reported he tricked the finance chief into revealing sensitive security details in order to steal from the firm. It is believed that the attack was effective because it had been successfully socially engineered, in that the hackers had done their homework and learnt as much as they could about the relationship between the hedge fund and its London-based bank.

In the wake of this and other attacks, staff in financial organisations have been urged to be suspicious of incoming calls from a voice they do not recognise. But the new generation of voice morphing software is now enabling OCGs to mimic any executive's voice. So even a voice you think you know well may turn out to be a subterfuge on the part of a criminal gang preparing to ruthlessly fleece your unsuspecting company for everything it can steal, blackmail or sell. Companies who merely lose a few million dollars via a cash transfer requested by the fake voice will be able to count themselves lucky. By mimicking the voice of the chief information officer, it would take the OCG only one or two calls to take absolute control of the corporation's entire database and communications system. The unfortunate company would be lucky to survive its subsequent financial and reputational losses.

The security industry is often accused of hyping up the level of risk to encourage business. But, just because the OCGs have only just begun to adopt voice morphing, it does not mean that the threat level may not soon start to escalate. The history of the digital revolution so far shows that, once a genuinely useful technology is launched into the mainstream, it spreads like wildfire.

Mobile phone texting is an obvious example. The Nokia telecoms engineers who invented texting did not envisage it as having a commercial use and merely installed the software to communicate across the mobile network among themselves. It was only when customers started adopting it themselves that the mobile phone industry knew it had a money spinner on its hands.

It is a killer application for OCGs

And while today's highly sophisticated voice morphing technology is not of much use to honest folk, it is a killer application for the OCGs as, initially at least, almost everyone will be taken in by a voice that appears to come from their boss, their most trusted friend or even their spouse. All the hacker needs is a voice sample. This could be obtained via a telephone conversation or a video recording (few important executives do not have video interviews with themselves made widely available).

The truly sinister aspect of voice morphing is that it can also be used for a wide range of nefarious purposes. Politicians and presidents' voices could be faked by terrorists and important individuals could be lured into being kidnapped by the voice of someone they trust unquestioningly.

In future, voice calls may have to be treated with the same caution given to incoming emails until there is a technical solution to the threat, such as truly accurate voice recognition software designed to verify a caller's true identity.

Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe.